In this episode of the HIPAA Vault show, we dive into a significant cybersecurity event involving UnitedHealth and the massive ransomware cyberattack on Change Healthcare. After falling victim to a sophisticated ransomware attack, UnitedHealth was compelled to pay the ransom in Bitcoin to retrieve their compromised data. We explore the intricate details of the attack, the decision-making process behind paying the ransom, and the implications for healthcare data security. We also delve into the broader topic of Bitcoin and decentralized applications, discussing their role as secure systems in the digital economy. This segment will touch on how Bitcoin operates, its inherent security features, and its implications for the healthcare industry, especially in terms of protecting sensitive data against similar threats.
Do you have any remaining questions, requests, or just want to chat with us? Email us at podcast@hipaavault.com!
Transcript:
Adam
Hello, and welcome to the HIPAA Vault show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine, and I’m joined, as always, by Gil Vidals.
Gil
Hey, Gil. Hey, Adam. Good to see you again.
Adam
Great to see you. So let’s dive into it, Gil, a little bit of trivia. Okay. Upfront on this podcast, I’m gonna ask you this question. So it’s. I want you to name the movie. So I’m going to give you a brief synopsis of a movie, and you’re going to try and name the movie. Does that sound good?
Gil
That sounds good.
Adam
Okay. So through a life of hard work, airline owner Tom Mullen has amassed a great deal of wealth. When a group of criminals want a piece of his cash, they kidnap his son for a $2 million ransom. Encouraged by his wife and an FBI agent, Tom prepares to pay the money, but the ransom drop goes awry. Enraged, Tom decides to turn the tables on the kidnappers by making the ransom a bounty on their heads, which he announces on national television. Any ideas?
Gil
Holy moly. Well, I can’t tell you that I’ve seen this movie, but it sounds like it’s worth watching, so there’s a bounce.
Adam
Really fun.
Gil
Yeah, I. You know what? I’m drawing blanks here. I don’t know.
Adam
All right, I’ll give you a hint. It stars Mel Gibson.
Gil
Oh, my goodness. So that’s an old movie back. I should know, because I’m a Mel Gibson fan, and I’ve been watching Mel Gibson movies for back in the day when he teamed up with Danny Glover. Yeah, on Lethal Weapon. Those were the big ones. But I don’t know. I don’t think I’ve seen this one.
Adam
The final clue is that the plot gives a very clear indication as to what the title might be.
Gil
Oh, ransomware. Ransom. Yes.
Adam
There we go. Ransom. Remember that?
Gil
You know, I’m pretty sure that I have seen it because I’ve seen all Mel Gibson’s movies, and it’s been a long time. You know, in this weekend, maybe I’m just gonna get a cup of tea, sit down, and watch this movie again.
Adam
Here on. On the screen. IMDb. Here it is. Ransom Gibson. Fun fact about this movie released in 1996, which is also the year in the. When the first HIPAA law was passed.
Gil
Okay. I knew there had to be a tie in somewhere to our conversation. Yeah.
Adam
And also, another fun fact is that’s only a couple of months before HIPAA Vault was founded, because we were founded in 1997. Well, I’ll just check out with you.
Gil
Yeah, yeah, that’s right. You know what’s fun about these movies, too? I just saw an old movie yesterday with Robert De Niro and Meryl Streep. And they’re walking down the streets in New York and they stop to make a phone call and they have to use the phone booth, you know, and they’re always talking to each other. They always go. And it’s like they don’t even have phone booths in New York anymore.
Adam
Phones.
Gil
Yeah. So that’s, these movies are that old. Oh, look, you own one of them. Yeah, I had one of those. Those are just regular phones that have a little wireless. But yeah, that, boy, that was a long time ago.
Adam
All right, so that brings us on neatly to the breach of the week. And we’re actually following up on what we were talking about last week, which is the UnitedHealthcare ransomware attack. And there’s some news that’s developed. Here’s CBS News reporting on it. UnitedHealth paid ransom after massive Change Healthcare cyberattack. This is April 23. And it says, quoting a UnitedHealth spokesperson, a ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure. A little bit more info on this, and this is not official, but it’s also being reported in media sources that the amount paid was 22 million in the form of Bitcoin. Oh, wired.com.
Gil
You know, and Bitcoin is soaring. And these guys are smart. They took payment in Bitcoin, which is. Well, actually, it’s interesting. Bitcoin can be traced, but when, well, there you go.
Adam
Look, it says, the transaction visible on Bitcoin’s blockchain suggests the victims of one of the worst ransom attacks in years may have paid a very large ransom.
Gil
Wow. Wow. Incredible podcast. These are very well organized criminals with lots of deep pockets, lots of money and lots of technology. And they are way ahead of us. And how do we know that for sure? Because they keep winning. They keep getting paid, they keep attacking, and they get paid more and more money. So they are way ahead of us. They’re winning big time. So it’s a problem.
Adam
It is, it is. I think, I think more and more is going to be, more information is going to be released as this develops. I’d be very interested to know where their data was hosted, whether it was an on premise kind of setup or if they were in one of the big clouds. And then, you know, what was lacking in terms of the security.
Gil
Yeah. I think one of the things that I’ve learned in the last, I don’t know, five years is that a lot of these situations become disastrous because the hackers that get in, they have exposure to everything. They’re able to get in and see everything and start encrypting all the data. And then, you know, the thing turns into a terrible situation. But the more modern way to secure things at them is like Google does, where they assume the attacker is already in from day one, which is a different model. So this old model is like a castle, where you build a perimeter, and then, you know, you hope to keep the bad guys out, but once they get in, they can do whatever they want. With Google’s model, you’re already pretending the bad guy’s inside the castle.
Gil
And so what you do, instead of having one castle that you’re protecting, you have a million castles, little tiny castles. And so you say, well, the bad guy got into one of a million castles. That’s terrible. But your other 999,000 castles are fine, and business can continue forward while you deal with the one. So that’s a different model where you’re segmenting and securing little areas here and there, and so that if they, even if they get in, it’s not disastrous. But these are, these companies are still operating in the old world, and once they get in, boy, they freeze their business to the tune of 22 million. They’re willing to pay 22 million to unlock their business. Yeah.
Adam
Yeah. Crazy. So it’s kind of like a decentralized security model that is being adopted more and more now, is that right?
Gil
Yes. Yes, it is being adopted more and more. The zero trust model is being implemented more where you have even employees only have access to certain areas. You don’t really trust anyone. You give employees what level they need, and then the bad guys, if they get in, they only have access to a little segment, and that’s a better model. And something I want to mention. Maybe we should do a whole podcast on it because it’s very interesting. This whole blockchain is intriguing because what blockchain did, and I hope people can understand this kind of hard concept, but the reason the blockchain is so powerful with Bitcoin. You mentioned Bitcoin a second. The reason it’s so powerful is because it’s secured with a physical force. Think about that. It’s secured with the physical force.
Gil
When you have software against software, and it’s all in the virtual world, there’s no presence in the real world. It’s all virtual. Virtual hacker attacks the virtual network of the other, of the good guy, and it goes back and forth and one wins, the other loses, and so on. But with the blockchain and Bitcoin, what they’ve done is they’ve said, look, this. This is never going to end. The bad guys are always going to get in. Until Bitcoin. Bitcoin invented something that was a first, and that is, let’s protect the network with physical force. And what is the physical force? Well, it’s the expenditure of energy, of electricity. And so if you want to attack Bitcoin, it was estimated you would need.
Gil
I don’t remember the exact number, but it was billions and billions of dollars to build a network and to power it, to even attack it. So imagine you’d have to have that much money. So what’s the point of robbing a bank if the bank only has $10 in there? You spent a million to rob $10 doesn’t make sense. You wouldn’t do that. A robber would not go into a bank to take $10 if it costs him $1 million to get in. And that’s what Bitcoin has done with the blockchain. They said, look, you can. You can come in and try to hack us, but you’re gonna have to spend 10 billion, and nobody has that kind of money. They don’t have the money to build.
Adam
And every ten minutes as well. You’d have to do it.
Gil
Yeah. Every walk, every block. So what are we trying to say here? In so many words, the solution is to have a presence in the physical world, a physical blockade, not just virtual, with software and all of that. And that’s where the failure is. This is a fundamental issue, and we have a solution with the example of Bitcoin that was invented in 2009 by Satoshi Nakamoto. But we haven’t figured out necessarily how to use that same exact model with the hospitals and all what they’re doing. You know, how do they do that?
Gil
And I’m just waiting to see how that evolves, because we obviously are not winning with just inventing better software and better software tools, as long as it all stays in the cloud, in the virtual world, or even on your desktop, just so I don’t confuse people, even on your desktop, even in your company, as long as you’re dealing with computers and servers in your closet and you have software, you’re never going to win, because all you can do is improve the software. Until the bad guy figures out a way to overcome that improvement. You’re back to square one. So the only way to improve it is to make that bad guy have to use physical expenditure of energy, have them spend a lot of money to consume millions of dollars of power in order to attack you.
Gil
If he had doesn’t have to spend any power, any energy, then the attack is going to happen over and over again. Yeah, I think difficult concepts, but yeah.
Adam
Yeah, I think with these models, it seems like, you know, centralized versus decentralized, there’s going to come up a tipping point where it would centralize. The advantage is that you’re usually going to get higher efficiency when it comes to everything’s in one place. So if you need to access something, you know where it is and it’s, you know how long it takes to get in, get out. Whereas with decentralized, but with it being centralized, single point of failure, you know, it’s less secure. On the other hand, with decentralized, a lot more secure. But it can be tricky to make sure that it’s as efficient. And I think there’s going to come a tipping point where that efficiency on the decentralized front becomes worthwhile to do it on a commercial.
Gil
Yeah. I’d like to give the audience an example of how this proof of work was invented. It’s a very interesting story. So there was a young man in eastern. No, in Germany, I believe. His name is Adam Back. And Adam Back was trying to think of how to solve the problem of spam. So back in the day, when Adam Back was trying to solve this problem, email was a free invention everyone was using. But then guess what? People started spamming and then you started getting just ten emails a day, you get a thousand. And how do you find a good email? You know, it was so annoying, right? So Adam Back did something very interesting. He, he thought of the postage stamp.
Gil
When you send an e, when you send a mail, physical letter, you put a postage stamp on it and it costs, you say, ten cents. I know it’s a lot more expensive, but for this example, ten cents and then you mail it. Now that’s not a lot of money. You spend $0.10 in a letter. So he wanted to use the same idea. He said, what if every email that you sent cost you a little bit of electricity? Not much. Not much, just a little bit. And so his idea was fantastic, because if you’re just sending a dozen or two emails a day, the cost is so negligible that you wouldn’t notice it on your electric bill that month, when you open your electric bill, you wouldn’t notice anything. But let’s say the same person in his apartment is trying to send a million emails.
Gil
All those little stamps would add up. And you say, oh my gosh. You look at your electric bill the next month and you say, oh my gosh, I spent $400 more than the previous month. So what he did was he invented a proof of work. If you want to send an email, he’s going to cost you something. And then, and then that called e-money.
Adam
Or something like that.
Gil
Well, no, well, his was called Hashcash. Hashcash. Yeah. So he invented that. And then Satoshi Nakamoto took that idea and brought it into his own model of how do we protect the network? And he used that proof of work invented by Adam Back in Hashcash to be able to say, hey, why don’t we use that same thing to protect, not spam email, not your email box, but let’s use it to protect money. So then he added that on there and then he thought of a beautiful way to say, well, now the money is protected because if you want to attack the network, you have to expend a certain amount of energy.
Gil
And he did that by saying, well, let’s see, if you’re going to mine Bitcoin, it’s going to cost you so much power, CPU cycles, and you’ve got to pay for that. So really brilliant, really very innovative, very brilliant idea. And so what does that have to do with HIPAA Vault or our conversation about protecting patient health information? This is an excellent way to protect health information to protect the bad guys from getting in. But I’m a little surprised. I mean, we’re, I’m not a software developer. Otherwise I probably would have tried to think of a way to do this myself. But there needs to be some kind of paradigm shift in the world of healthcare and EMR and EHR and all the software they need to figure out a way to use proof of work to somehow penetrate the software.
Gil
You’ve got to be able to expend a lot of power in order to access the data and access the application. And right now you don’t need any proof of work. You don’t need to expend anything. The hackers just get in through the back door and there they are.
Adam
Yeah.
Gil
Yeah.
Adam
So it’s almost like in order to participate in the service, you have to, for example, have a client installed locally that is connected to a payment, something along those or energy or. Yeah, something like that.
Gil
Yeah, something like that. It’s not. Yeah. And obviously it must be. The implementation must be tricky. Otherwise, I think many companies would have already done it now would have done it. So there’s something there that needs to click before it happens. But I think this is not. This isn’t just Gil’s idea or just sort of a vaporware. No. This already has existed since 2009. It was launched in December, I think, of, or January of 2010. And it’s been attacked so many times, attacked over and over again, and it’s resilient. It has stood the test of time 15 years now. So we know the solution is there, the technology is there, it’s open source, it works. And yet how come we can’t have that for EMR EHR and all the data in the hospital? Why don’t we have that?
Gil
It’s like something seems wrong here that we’ve had a solution for 15 years and we’re not adopting it and adapting it for the hospital. Hospital and the medical system. If we had been, we wouldn’t be having these ransomware attacks. It would be impossible because the 22 million they got paid is good money for them. That’s why they’re doing it. But if they had to spend $1 billion to attack the hospital, they wouldn’t do it. They say, look, it’s going to cost us a billion dollars to electric power. We can’t afford that, so we’re not going to even bother attacking it. Not worth it. So we know the solution. Unfortunately, we need some very smart people to somehow come up with this new protocol and implement it. But I think the solution is there. I really do.